Microsoft JET vulnerability still open to attacks, despite recent patch

A vulnerability in the Microsoft JET database engine is still open to attacks, even after Microsoft shipped an update earlier this week during the October 2018 Patch Tuesday.

The vulnerability came to light in mid-September after the Trend Micro Zero-Day Initiative (ZDI) posted details about it on its site. ZDI said Microsoft had failed to patch the flaw in due time, so it decided to make the issue public so that users and companies could take action to protect themselves against any exploitation attempts. The vulnerability, which was a zero-day at the time of its disclosure, raised some alarms, mainly because the JET database engine is included in all versions of Windows, which gave attackers a huge attack surface to target.

The JET engine was one of Microsoft’s first forays into database technologies. It was developed in the 90s and has been used to power various Microsoft apps, with the most recognizable names being Access, Visual Basic, Microsoft Project, and IIS 3.0. JET has since been deprecated and replaced by newer technologies, but it is still included with Windows for legacy purposes.

Information security experts criticized Microsoft for failing to patch the vulnerability, mainly because it allowed a full remote compromise of the user’s system.

They also recalled that Microsoft was late to patch a flaw in another legacy product last year, Office’s legacy Equation Editor app, which became one of the most heavily exploited vulnerabilities in the past year.

Fortunately, Microsoft did see the problem with leaving the JET zero-day unpatched in the end and shipped an update this past Tuesday. But according to Mitja Kolsek, co-founder of 0patch, Microsoft’s recent JET patch is incomplete, and an attacker can still exploit the original vulnerability.

“At this point we will only state that we found the official fix to be slightly different to our micropatch, and unfortunately in a way that only limited the vulnerability instead of eliminating it,” Kolsek said. “We promptly notified Microsoft about it and will not reveal further details or proof-of-concept until they issue a correct fix.”

0patch, which released a so-called custom “micro-patch” for the JET zero-day when it came out, released another micro-patch today for use until Microsoft corrects its original JET fix.

The good news is that until now, neither Microsoft nor 0patch has seen hackers trying to exploit this vulnerability.

Furthermore, to exploit the vulnerability, a user must open or import a specially crafted Microsoft JET Database Engine file, meaning attacks can’t be automated at scale, and social engineering is still required to trick the user into opening a malicious file.